Microsoft Defender for Endpoint uses the Antimalware Scan Interface (AMSI) to provide better protection against fileless malware, dynamic script-based attacks, and other nontraditional cyber threats. This article explains how to test the AMSI engine by using a benign sample.
Prerequisites
- Microsoft Defender Antivirus (as primary) must be enabled, along with the following capabilities:
  - Real-Time Protection (RTP)
  - Behavior Monitoring (BM)
  - Script scanning (turned on)
Supported operating systems
The following operating systems support this AMSI test scenario:
- Windows 10 and later
- Windows Server 2016 and later
Testing AMSI with Defender for Endpoint
In this demonstration article, you can choose from three engines to test AMSI:
- PowerShell
- VBScript
- JavaScript
Test AMSI with PowerShell
Perform the following steps to test AMSI by using PowerShell:
1. Save the following PowerShell script as AMSI_PoSh_script.ps1:

   ```powershell
   # Save this sample AMSI PowerShell script as AMSI_PoSh_script.ps1
   $testString = "AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386"
   Invoke-Expression $testString
   ```

2. On your device, open PowerShell as an administrator.
3. Type `Powershell -ExecutionPolicy Bypass AMSI_PoSh_script.ps1`, and then press Enter.

   The expected PowerShell output is as follows:

   ```
   Invoke-Expression : At line:1 char:1
   + AMSI Test Sample: 7e72c3ce-861b-4339-8740-8ac1484c1386
   + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   This script contains malicious content and has been blocked by your antivirus software.
   At C:\Users\Admin\Desktop\AMSI_PoSh_script.ps1:3 char:1
   + Invoke-Expression $testString
   + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
       + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
   ```
Testing AMSI with VBScript
Use the following steps to test AMSI with VBScript:
1. Save the following VBScript as AMSI_vbscript.vbs:

   ```vbscript
   REM Save this sample AMSI vbscript as AMSI_vbscript.vbs
   Dim result
   result = eval("AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386")
   WScript.Echo result
   ```

2. On your Windows device, open Command Prompt as an administrator.
3. Type `wscript AMSI_vbscript.vbs`, and then press Enter.

   The expected VBScript output is as follows:

   ```
   Windows Script Host
   Script: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
   Line: 3
   Char: 1
   Error: This script contains malicious content and has been blocked by your antivirus software.: 'eval'
   Code: 800A802D
   Source: Microsoft VBScript runtime error
   ```
Testing AMSI with JavaScript
Use the following steps to test AMSI with JavaScript:
1. Save the following JavaScript as AMSI_jscript.js:

   ```javascript
   // Save the following file as AMSI_jscript.js
   var result = eval("AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386");
   WScript.Echo(result);
   ```

2. On your Windows device, open Command Prompt as an administrator.
3. Type `cscript AMSI_jscript.js`, and then press Enter.

   The expected JavaScript output is as follows:

   ```
   C:\tools>cscript AMSI_jscript.js
   Microsoft (R) Windows Script Host Version 10.0
   Copyright (C) Microsoft Corporation. All rights reserved.

   CScript Error: Loading script "C:\test\AMSI_jscript.js" failed (Operation did not complete successfully because the file contains a virus or potentially unwanted software. ).
   ```
Verifying the test results
In your protection history, you should see the following information:

```
Threat blocked
Detected: Virus: Win32/MpTest!amsi
Status: Cleaned
This threat or app was cleaned or quarantined before it became active on your device.
Details: This program is dangerous and replicates by infecting other files.
Affected items:
amsi: \Device\HarddiskVolume3\Windows\System32\WindowsPowershell\v1.0\powershell.exe
```

The affected item depends on which engine you tested. Instead of the powershell.exe path, you might see:

```
amsi: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
```

or

```
amsi: C:\Users\Admin\Desktop\AMSI_jscript.js
```

and/or you might see:

```
Threat blocked
Detected: Virus: Win32/MpTest!amsi
Status: Cleaned
This threat or app was cleaned or quarantined before it became active on your device.
Details: This program is dangerous and replicates by infecting other files.
```
Get the list of Microsoft Defender Antivirus threats
You can view detected threats by using the Event log or PowerShell.
Use the Event log
Use the following steps to view detected threats in Event Viewer:
1. Go to Start, search for EventVwr.msc, and open Event Viewer in the list of results.
2. Go to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.
3. Look for event ID 1116. You should see the following information:

   ```
   Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
    For more information please see the following:
   https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/MpTest!amsi&t
    	Name: Virus:Win32/MpTest!amsi
    	ID: 2147694217
    	Severity: Severe
    	Category: Virus
    	Path: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Users\Admin\Desktop\AMSI_jscri
    	Detection Origin: Local machine or Unknown
    	Detection Type: Concrete
    	Detection Source: System
    	User: NT AUTHORITY\SYSTEM
    	Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Windows\System32\cscript.exe or C:\Windows\Sy
    	Security intelligence Version: AV: 1.419.221.0, AS: 1.419.221.0, NIS: 1.419.221.0
    	Engine Version: AM: 1.1.24080.9, NIS: 1.1.24080.9
   ```
Use PowerShell
Use PowerShell to list detected threats by following these steps:
1. On your device, open PowerShell.
2. Type `Get-MpThreat`, and then press Enter. You might see the following results:

   ```
   CategoryID       : 42
   DidThreatExecute : True
   IsActive         : True
   Resources        :
   RollupStatus     : 97
   SchemaVersion    : 1.0.0.0
   SeverityID       : 5
   ThreatID         : 2147694217
   ThreatName       : Virus:Win32/MpTest!amsi
   TypeID           : 0
   PSComputerName   :
   ```
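The whole procedure on this page, wired together as one added example (this is editor-written code, not Microsoft's): it checks the three prerequisites with Get-MpComputerStatus and Get-MpPreference, writes the three samples to a folder under %TEMP% (a location assumed here, not taken from the article), runs them, and then confirms the detections with Get-MpThreat and event ID 1116 for Virus:Win32/MpTest!amsi. It runs the VBScript sample with cscript instead of the article's wscript so the error text stays on the console rather than in a dialog box. The cmdlet names and the Microsoft-Windows-Windows Defender/Operational log name are existing Defender interfaces; the folder layout, the five-second wait and the PASS/CHECK wording are this example's own choices.

```powershell
# Added example, not part of the Microsoft article: run the three benign AMSI
# samples from this page and confirm the detections through Get-MpThreat and
# Defender event ID 1116. Run from an elevated PowerShell prompt on a test
# machine. Assumptions: the Defender PowerShell module is present, and the
# samples are written to a work folder under %TEMP% (a location chosen here).
$ErrorActionPreference = 'Continue'
$workDir = Join-Path $env:TEMP 'amsi-test'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Prerequisites from the article: real-time protection, behavior monitoring
#    and script scanning must all be on, or the AMSI detections may not fire.
$status  = Get-MpComputerStatus
$pref    = Get-MpPreference
$prereqs = [ordered]@{
    'Real-Time Protection' = [bool]$status.RealTimeProtectionEnabled
    'Behavior Monitoring'  = [bool]$status.BehaviorMonitorEnabled
    'Script scanning'      = -not [bool]$pref.DisableScriptScanning
}
foreach ($name in $prereqs.Keys) { '{0,-21}: {1}' -f $name, $prereqs[$name] }
if ($prereqs.Values -contains $false) {
    Write-Warning 'A prerequisite is off; the samples below may not be blocked.'
}

# 2. The three samples, kept as two string literals exactly as the article
#    writes them, so the test string only comes together at eval time.
$samples = [ordered]@{
    'AMSI_PoSh_script.ps1' = @'
$testString = "AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386"
Invoke-Expression $testString
'@
    'AMSI_vbscript.vbs' = @'
Dim result
result = eval("AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386")
WScript.Echo result
'@
    'AMSI_jscript.js' = @'
var result = eval("AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386");
WScript.Echo(result);
'@
}
foreach ($name in $samples.Keys) {
    Set-Content -Path (Join-Path $workDir $name) -Value $samples[$name] -Encoding ASCII
}

# 3. Run each sample. cscript is used for both script-host samples so the
#    error lands on the console instead of in a wscript dialog box.
$runs = @(
    @{ Engine = 'PowerShell'; Exe = 'powershell.exe'
       Args = @('-ExecutionPolicy', 'Bypass', '-File', (Join-Path $workDir 'AMSI_PoSh_script.ps1')) }
    @{ Engine = 'VBScript';   Exe = 'cscript.exe'
       Args = @('//Nologo', (Join-Path $workDir 'AMSI_vbscript.vbs')) }
    @{ Engine = 'JavaScript'; Exe = 'cscript.exe'
       Args = @('//Nologo', (Join-Path $workDir 'AMSI_jscript.js')) }
)
$started = Get-Date
foreach ($run in $runs) {
    "--- $($run.Engine) sample ---"
    $output = & $run.Exe $run.Args 2>&1 | Out-String   # array elements become separate arguments
    $output.Trim()
}

# 4. Verify: Get-MpThreat and event ID 1116, both keyed on the test signature.
Start-Sleep -Seconds 5          # give the engine time to write the event
$threatName = 'Virus:Win32/MpTest!amsi'
$threats = @(Get-MpThreat | Where-Object { $_.ThreatName -eq $threatName })
$events  = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116
        StartTime = $started
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$threatName*" })

"Get-MpThreat entries for ${threatName}: $($threats.Count)"
"Event ID 1116 entries since $($started.ToString('u')): $($events.Count)"
foreach ($e in $events) {
    # Show the Path and Process Name fields so each engine's detection is visible.
    $fields = ($e.Message -split "`r?`n") -match '^\s*(Path|Process Name):'
    '  {0:u}  {1}' -f $e.TimeCreated, (($fields | ForEach-Object { $_.Trim() }) -join ' | ')
}
if ($events.Count -ge $runs.Count) { 'PASS: AMSI blocked every sample.' }
else { 'CHECK: fewer detections than samples; review protection history.' }
```

Each run is expected to fail with the error text shown earlier on this page; the PASS line only appears when one 1116 event per engine was logged after the run started, which is the same evidence the Event Viewer and Get-MpThreat steps above ask you to find by hand. If the prerequisite table shows False for any row, fix that setting first, because a missing detection is then a configuration problem rather than an AMSI problem.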